Does F5 ASM offer any protection against cve-2022-22536? This is a SAP Netweaver vulnerability.I havent seen anything posted on AskF5

AskF5 has posted a solution: K11248009

cve-2022-22536 protections from F5?

Daniel_Wolf
MVP
Feb 14, 2022
Hi Jim_M,

The descripton for CVE-2022-22536 states: SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.

There are two attack signatures that will protect against request smuggling:
* Signature ID: 200018085, Request Smuggling Attempt (CR Before CL Header)
* Signature ID: 200018086, Request Smuggling Attempt (SP/CL after Header)

I didn't see anything in the Threat Campaign signatures yet.

KR
Daniel
- Daniel_Wolf
  MVP
  Feb 21, 2022
  Short update:
  
  F5 has added a Bot Signature for Onapsis ICMAD tool which is known as a tool that attempts to exploit SAP products that are vulnerable to request smuggling and request concatenation.
  
  With Advanced WAF and an active Threat Campaigns subscription Bot Signatures can be updated dynamically. Otherwise Bot Signature Updates come with every major BIG-IP release. See K82512024: Managing BIG-IP ASM Live Updates (14.1.x and later).
  
  Bot Signatures: Class of signatures that identify legitimate or malicious web robots by looking for specific patterns in the headers of incoming HTTP requests. With the release of BIG-IP 14.1.0, this feature requires a separate license. Bot signature updates are part of the Threat Campaigns subscription-based service license. Without a Threat Campaigns license, bot signatures cannot be updated using manual or automatic updates; however, you can still add custom bot signatures.
  
  EDIT: Now there is also an Attack Signature that was added on 15. February 2022.
  Signature ID: 200020213
  Name: SAP NetWeaver request smuggling
Pedro_Roure
Cirrus
Feb 14, 2022

Give a look at the KB below. It contains a link with all attack signatures provided by F5.
https://support.f5.com/csp/article/K62525205
Or you can look for directly in the device by using this other KB:
https://support.f5.com/csp/article/K45558510
JRahm
Admin
Feb 22, 2022
AskF5 has posted a solution: K11248009

Forum Discussion

cve-2022-22536 protections from F5?

Recent Discussions

Can you set Kerberos AAA server via session variable?

HTML Code injection Not detected by ASM

What will be happen to live and existing connections when failover HA BIG IP active-standby

SSL Offload and remove FQDN

High CPU utilization (100%).

Related Content

L7 DoS Protection with NGINX App Protect DoS

Beyond REST: Protecting GraphQL

Managing NGINX App Protect WAF for Beginners

F5 Distributed Cloud Bot Defense Protecting AWS CloudFront Distributions

Cookie-based DDoS protection

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS